Consider using Admission Webhooks to validate crds #2

Open
jonaspetersorensen opened this issue Sep 29, 2018 · 1 comment
Labels
enhancement New feature or request

Comments

@jonaspetersorensen

Admission controllers sound pretty awesome,
ex blog post:

Admission controllers are used for intercepting the requests to Kubernetes API, such as creating a Deployment, a new ConfigMap, etc. In other words, any Kubernetes object can be caught with admission controllers and modified before persisting them in the database. They can also be used to reject the objects, and many admission controllers might be chained to perform a set of checks. In short, admission controllers can be categorized as “validating” which accepts or rejects an object, and they can also be “mutating” which modifies the object before persistence.

The ability to intercept the objects before saving them allows enforcing some rules. For instance, you might want to let only a single domain of Docker images to pull, or you might enforce a naming scheme for objects, prevent some labels from being used, or add sidecar containers to each of your containers. The main reason why admission controllers are useful is that you can continue interacting with API server with proper credentials, and you do not have to create an additional proxy layer or a handler, and you maintain a fewer number of and smaller components, and it becomes easier to modify and swap them.

Link to official docs, Using Admission Controllers

The problem is that to create our own plugin admission controllers we need to

  • Compile them into the kube-apiserver
  • They are only configurable when the apiserver starts up

So a no-go when it comes to managed k8s.

This is where ValidatingAdmissionWebhook and MutatingAdmissionWebhook come into play.

Two features, Admission Webhooks (beta in 1.9) and Initializers (alpha), address these limitations. They allow admission controllers to be developed out-of-tree and configured at runtime.

See official docs, https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/
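
An added example, not part of the original issue or of this project's code: the decision logic of a validating admission webhook enforcing the image-registry rule mentioned in the quoted blog post, using only the Go standard library. It assumes the `admission.k8s.io/v1` AdmissionReview wire format; `registry.example.com/` and the sample request are constructed placeholders, and the HTTPS server and `ValidatingWebhookConfiguration` registration are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of AdmissionReview; untagged fields decode via case-insensitive key match.
type review struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string
		Object struct {
			Spec struct{ InitContainers, Containers []struct{ Image string } }
		}
	} `json:"request,omitempty"`
	Response *response `json:"response,omitempty"`
}
type response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}

// Validate builds the AdmissionReview reply; keep the trailing "/" in prefix so look-alike hosts fail.
func Validate(body []byte, prefix string) ([]byte, error) {
	var in review
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("no usable request in AdmissionReview (decode error: %v)", err)
	}
	in.Response = &response{UID: in.Request.UID, Allowed: true} // uid must be echoed
	s := in.Request.Object.Spec
	for _, c := range append(s.InitContainers, s.Containers...) { // init containers count too
		if !strings.HasPrefix(c.Image, prefix) {
			in.Response.Allowed = false
			in.Response.Status = map[string]string{"message": "image outside " + prefix + ": " + c.Image}
			break
		}
	}
	in.Request = nil // the reply carries only the response
	return json.Marshal(in)
}

func main() { // constructed sample request, not captured from a cluster
	req := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"u1","object":{"spec":{"containers":[{"image":"docker.io/library/nginx"}]}}}}`
	out, err := Validate([]byte(req), "registry.example.com/")
	fmt.Println(string(out), err)
}
```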

@jonaspetersorensen
Author

Ofc, this all only makes sense if you choose to extend the api :)
